A pro-Ukrainian cybercrime group known as Bearlyfy has intensified attacks against Russian companies, now deploying a custom ransomware variant called GenieLocker. Since emerging in January 2025, the group has been linked to more than 70 cyber incidents targeting Russian businesses, blending financial extortion with sabotage.
According to Russian cybersecurity firm F6, Bearlyfy—also referred to as Labubu—has evolved from opportunistic attacks on smaller enterprises to high-profile operations demanding substantial ransoms. Early campaigns leveraged ransomware families such as LockBit 3 (Black) and Babuk, with initial demands around €80,000 ($92,100). By mid-2025, the group had reportedly affected at least 30 organizations.
Starting in May 2025, Bearlyfy began using a modified version of PolyVice, a ransomware family linked to Vice Society (DEV-0832, also known as Vanilla Tempest). This toolkit allowed the group to deploy third-party lockers, including Hello Kitty, Zeppelin, RedAlert, and Rhysida, broadening the scope of their attacks.
Further analysis reveals connections between Bearlyfy and PhantomCore, another pro-Ukrainian hacking collective known for targeting Russian and Belarusian companies since 2022. The group has also been linked to collaborations with Head Mare, signaling a networked approach to cyber sabotage.
Bearlyfy typically gains initial access through vulnerable applications or external services, then deploys tools like MeshAgent to facilitate remote access and enable rapid encryption, destruction, or alteration of data. Unlike PhantomCore, which conducts long-term, APT-style operations, Bearlyfy focuses on fast-moving attacks with minimal preparation. Notably, ransom notes are manually crafted by the group, rather than automatically generated by the ransomware itself, adding a psychological dimension to their extortion strategy.
Data from F6 suggests roughly 20% of victims have paid ransoms, which have escalated over time, sometimes reaching hundreds of thousands of dollars. The introduction of GenieLocker in March 2026 marks a significant evolution. Inspired by Venus and Trinity ransomware families, GenieLocker targets Windows systems and maintains Bearlyfy’s hallmark of rapid, high-impact encryption attacks.
“Bearlyfy has transformed from an experimental threat actor into a formidable adversary for Russian enterprises within a single year,” F6 stated. The group’s continued innovation in ransomware development highlights the persistent cyber risks facing organizations in the region.